mirror of https://github.com/kyverno/kyverno.git synced 2025-03-29 02:45:06 +00:00

added: hostNetwork toggle and dnsPolicy option to the dep. and values manifests (#1511)

Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
Yashvardhan Kukreja 2021-02-02 07:14:11 +05:30 committed by GitHub
parent 03c77e4145
commit b4ab5413fd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 18 additions and 0 deletions


@ -68,9 +68,11 @@ Parameter | Description | Default
`createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false`
`config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil`
`config.resourceFilters` | list of filter of resource types to be skipped by kyverno policy engine. See [documentation](https://github.com/kyverno/kyverno/blob/master/documentation/installation.md#filter-kubernetes-resources-that-admission-webhook-should-not-process) for details | `["[Event,*,*]","[*,kube-system,*]","[*,kube-public,*]","[*,kube-node-lease,*]","[Node,*,*]","[APIService,*,*]","[TokenReview,*,*]","[SubjectAccessReview,*,*]","[*,kyverno,*]"]`
`dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst`
`extraArgs` | list of extra arguments to give the binary | `[]`
`fullnameOverride` | override the expanded name of the chart | `nil`
`generatecontrollerExtraResources` | extra resource type Kyverno is allowed to generate | `[]`
`hostNetwork` | Use the host network's namespace. Set it to `true` when dealing with a custom CNI over Amazon EKS | `false`
`image.pullPolicy` | Image pull policy | `IfNotPresent`
`image.pullSecrets` | Specify image pull secrets | `[]` (does not add image pull secrets to deployed pods)
`image.repository` | Image repository | `ghcr.io/kyverno/kyverno`
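Review bot: The new `hostNetwork` row says to set it to `true` for a custom CNI on Amazon EKS but does not say that `dnsPolicy` should be changed with it, and the `dnsPolicy` row only describes the setting in general terms. The values file comments in this same commit recommend `ClusterFirstWithHostNet` for host-network mode; repeating that recommendation in one of these two rows would keep README-only readers from enabling host networking while leaving `dnsPolicy` at `ClusterFirst`.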


@ -37,6 +37,12 @@ spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
{{- if .Values.hostNetwork }}
hostNetwork: {{ .Values.hostNetwork }}
{{- end }}
{{- if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- end }}
initContainers:
- name: kyverno-pre
image: {{ .Values.initImage.repository }}:{{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }}
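Review bot: The two new `if` blocks render `hostNetwork` and `dnsPolicy` independently, so `hostNetwork: true` combined with the chart default `dnsPolicy: ClusterFirst` is emitted as-is, and per the Kubernetes DNS policy documentation linked in this commit a host-network pod with `ClusterFirst` falls back to the behaviour of the `Default` policy (the node's resolver configuration). Consider handling that combination in the template, either by falling back to `ClusterFirstWithHostNet` when `.Values.hostNetwork` is true and `dnsPolicy` was left at its default, or by failing the render with a clear message. Minor style point: `priorityClassName` just above is piped through `quote`, and doing the same for `dnsPolicy` would be consistent.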


@ -42,6 +42,16 @@ affinity: {}
nodeSelector: {}
tolerations: []
# change hostNetwork to true when you want the kyverno's pod to share its host's network namespace
# useful for situations like when you end up dealing with a custom CNI over Amazon EKS
# update the 'dnsPolicy' accordingly as well to suit the host network mode
hostNetwork: false
# dnsPolicy determines the manner in which DNS resolution happens in the cluster
# in case of hostNetwork: true, usually, the dnsPolicy is suitable to be "ClusterFirstWithHostNet"
# for further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy: "ClusterFirst"
extraArgs: []
# - --webhooktimeout=4
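Review bot: The comment above `hostNetwork: false` explains when to turn the option on but not what it costs: with `hostNetwork: true` the Kyverno pod shares the node's network namespace, so its listening ports are opened on the node itself and the pod can reach services bound to the node's interfaces. Suggest adding a comment line stating that this should stay `false` unless the CNI setup requires it. The `dnsPolicy` comment could also name `ClusterFirstWithHostNet` as the value to set in that case, instead of "usually ... suitable".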